Re: Multiple Where Clause

itsmevic · ‎06-24-2020

I'm running the below query across the network and would like it to pinpoint that search towards two users rather than run the search across the entire network and have hundreds of users. When I use the "where" clause and enter in both users that I'd like to search under, nothing comes back. The moment I remove the "where" clause, data comes back. Should my where clause positioned elsewhere up the pipe? Or is it just a matter of incorrect syntax?

| from datamodel:"Authenticate"
| eval host=upper(host)
| search [| inputlookup hosts_upper.csv]
| search user!=svc* NOT src_user IN (system, dbagent, svc*)
| search NOT signature_id IN (4769, 4672, 4648)
| eval "Logon Type" = case(Logon_Type == 2, "Interactive", Logon_Type == 3, "Network", Logon_Type == 4, "Batch",
Logon_Type == 5, "Service", Logon_Type == 7, "Unlock", Logon_Type == 8, "Clear Text",
Logon_Type == 9, "New Credentials", Logon_Type == 10, "Remote Interactive", Logon_Type == 11, "Cached Interactive")
| fillnull value=NULL "Unknown"
| table _time action host user src app Logon_Type "Logon Type" host signature sourcetype
| where user="johndoe" OR user="janesmith"
| sort -_time

richgalloway · ‎06-24-2020

It's best to put your where clause as far up the pipe as possible to improve performance. Doing so will have no bearing on the results, however.

Your syntax looks fine, although I prefer to put parentheses around compound where clauses.

Are you sure you have the names correct?

Do you get the right results when you have just one user name in the where clause?

Here's an alternative where clause to try.

| where (match(user, "johndoe") OR match(user, "janesmith"))

---
If this reply helps you, Karma would be appreciated.

Multiple Where Clause

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!